[kokoro] testing: use secrets manager (#3857)

GoogleCloudPlatform · May 22, 2020 · 79b0d63 · 79b0d63
1 parent a3a1e40
commit 79b0d63
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 15 deletions.
diff --git a/.kokoro/lint/common.cfg b/.kokoro/lint/common.cfg
@@ -17,7 +17,7 @@
 # Configure the docker image for kokoro-trampoline.
 env_vars: {
     key: "TRAMPOLINE_IMAGE"
-    value: "gcr.io/cloud-devrel-kokoro-resources/python"
+    value: "gcr.io/cloud-devrel-kokoro-resources/python-samples-testing-docker"
 }
 
 # Download trampoline resources.

diff --git a/.kokoro/tests/run_tests.sh b/.kokoro/tests/run_tests.sh
@@ -37,9 +37,11 @@ cd github/python-docs-samples
 # install nox for testing
 pip install -q nox
 
-# Unencrypt and extract secrets
-SECRETS_PASSWORD=$(cat "${KOKORO_GFILE_DIR}/secrets-password.txt")
-./scripts/decrypt-secrets.sh "${SECRETS_PASSWORD}"
+# Use secrets acessor service account to get secrets
+gcloud auth activate-service-account \
+      --key-file="${KOKORO_GFILE_DIR}/secrets_viewer_service_account.json" \
+      --project="cloud-devrel-kokoro-resources"
+./scripts/decrypt-secrets.sh
 
 source ./testing/test-env.sh
 export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/testing/service-account.json

diff --git a/scripts/decrypt-secrets.sh b/scripts/decrypt-secrets.sh
@@ -20,7 +20,6 @@ ROOT=$( dirname "$DIR" )
 # Work from the project root.
 cd $ROOT
 
-openssl aes-256-cbc -k "$1" -md sha256 \
-	-in testing/secrets.tar.enc -out secrets.tar -d
-tar xvf secrets.tar
-rm secrets.tar
+gcloud secrets versions access latest --secret="python-docs-samples-test-env" > testing/test-env.sh
+gcloud secrets versions access latest --secret="python-docs-samples-service-account" > testing/service-account.json
+gcloud secrets versions access latest --secret="python-docs-samples-client-secrets" > testing/client-secrets.json
diff --git a/scripts/encrypt-secrets.sh b/scripts/encrypt-secrets.sh
@@ -20,10 +20,6 @@ ROOT=$( dirname "$DIR" )
 # Work from the project root.
 cd $ROOT
 
-read -s -p "Enter password for encryption: " PASSWORD
-echo
-
-tar cvf secrets.tar testing/{service-account.json,client-secrets.json,test-env.sh}
-openssl aes-256-cbc -k "$PASSWORD" -md sha256 \
-	-in secrets.tar -out testing/secrets.tar.enc
-rm secrets.tar
+gcloud secrets versions add "python-docs-samples-test-env" --data-file="testing/test-env.sh"
+gcloud secrets versions add "python-docs-samples-service-account" --data-file="testing/service-account.json"
+gcloud secrets versions add "python-docs-samples-client-secrets" --data-file="testing/test-env.sh"
diff --git a/testing/secrets.tar.enc b/testing/secrets.tar.enc